Archive for the ‘Uncategorized’ Category

Another stolen laptop

Monday, March 6th, 2006

I am becoming more and more drawn to stolen laptop stories, much as a moth is drawn to a flame…hopefully this will result in enlightenment as opposed to burns, however!  🙂  Another story about a stolen laptop: a Boca drug salesman’s laptop is stolen.  What’s interesting about this is that the theft victim was a consultant for Procter & Gamble, but the report only mentioned the value of the hardware, and not what types of files were contained on the laptop.  Wonder what kind of personal information, if any, was on the laptop?


More Health Information Found on Tapes Sold to Get a Return on Investment

Sunday, March 5th, 2006

Another story was reported yesterday in the Vancouver Sun about confidential information being found on tapes the British Columbia government sold.  I’m not too surprised, considering most organizations do not encrypt personal, or any, information on removable storage media, such as tapes, CDs, USB drives, and so on.  I’ve done many outsourced vendor security reviews, and I was initially surprised to see that some of them actually have within their security policies the directive to sell mobile storage media when it is no longer needed, to try to recoup some of the investment made in it.  I’ve seen policies go into great detail about how to sell the media, on eBay and in other venues, but completely omit any mention of removing the data first.


Breach Notification and Encryption

Friday, March 3rd, 2006

I read a story from yesterday’s Computerworld, "Breach notification laws: When should companies tell all? Privacy experts, lawyers differ on whether more laws would help," with great interest, concern, and, at one point, puzzlement.  I realize that sometimes reporters twist words and put quotes into a different context to make the story more interesting.  However, there is one quote I want to pull from the article.

  • "“Breaches should not be tied to the potential criminal use of the information,” said Christopher Pierson, a lawyer with Lewis & Rocca LLP in Phoenix. “I find it highly unlikely that IT professionals, company officials or lawyers would be able to examine the intent of a criminal that has yet to be identified.”"

Does this logic apply to someone stealing my credit card also?  So, if someone takes my credit card, should the credit card company wait until the intent of the criminal has been identified before cancelling my card?  The main difference is that my stolen credit card is a small-scale incident; it impacts only me.  So, if the incident involves stealing thousands or millions of credit cards in a database then the intent of the criminal must first be determined?

Of course you cannot know the intent of criminals before they commit crimes.  But when computer breaches occur, the potential impact must be examined.  If someone purposefully broke into a system, it is likely they did not do it to debug the application code or to apply a more recent security patch.  Computer crime is growing.  Many studies, such as the CERT/Secret Service Insider Threat Study, show that there is growing criminal intent involved with computer-related incidents.

So…unless there is irrefutable evidence that someone has mucked around with and fraudulently used all the personal information that has been stolen, or found on lost storage media, or inappropriately accessed by fraudsters, we should not worry about the potential for criminal use of information that is lost, stolen, or misused by those with access to it?  I guess in the CardSystems Solutions incident last year where a network intruder stole information on 40 million people, "and according to the FTC, the security breach resulted in millions of dollars in fraudulent purchases" wasn’t anything to worry about until the fraud occurred?  I’m sure all the people who are now dealing with identity theft, identity fraud and ruined credit histories got warm fuzzies reading his opinion.

  • "Similarly, requiring even companies that encrypt their data to disclose breaches, as some states mandate, is overkill, according to Herath."

While it would take some examination of the breach notification laws involved, I generally agree with this statement.  Encryption is one of the most effective security tools available to protect the confidentiality of and access to data.  New encryption solutions have made it easier to use and manage, and more economical, than ever before.  If strong encryption is used (and this could be part of the regulatory verbiage and easily verified by organizations when breaches occur), then why would notification, or the same level or type of notification, be necessary?

I agree that over-notifications should be avoided, but that comes from crafting thoughtful laws and identifying what those key notification triggers should be.  Over-notification definitely could have a negative impact.  But let’s get some information security and privacy experts speaking with the lawmakers to help them understand the issues and write good legislation.

There is so much more to discuss about this…


HIPAA Violations

Thursday, March 2nd, 2006

One of the activities I want to start doing is to maintain a listing of publicized HIPAA breaches, fines, judgments, potential violations, etc.  I have found many sites listing privacy breaches, but I have not been able to find a site with a listing of just HIPAA-related incidents.  I’ve contacted CMS and OCR about this, and they do not have such public listings.  I was reminded of my plan to do this when reading an interesting story today about the CDC collecting medical and education records from a school district about a child with autism without seeking to obtain the parents’ consent.  Reportedly the CDC took similar actions last year.  Note that this is also a possible violation of the Family Educational Rights and Privacy Act (FERPA).

I will post other HIPAA-related incidents as I find them and dig up those from the past that I recall.


Computer Viruses Getting Biologic Characteristics

Wednesday, March 1st, 2006

Stories such as the one in Network World about how a new type of proof-of-concept computer virus can pass from a PC to a mobile computer device and delete files are very interesting.  The anti-virus vendors seem skeptical.  This is semi-deja vu.  A few years ago when the use of mobile computing devices was still in its infancy I read an article in which one of the anti-virus vendors, I thought it was McAfee, said someday it would be possible to get a computer virus just by walking past an infected wireless computer or smartphone with your wireless computing device.  I spent too long googling to try and find this article tonight…exasperating!  If any of you find it, please let me know! 

However, it seems this possibility has been discussed for a few years now, and it appears that someday all computing devices will be wireless, and thus capable of communicating easily with each other, via one route or another, won’t they?  The use of wireless in business is increasing daily.  A 2005 study reported 93.5% of responding companies used wireless somewhere within their organization, and 48% of the employees had access to use wireless technology.

I’m certainly not a computer virus guru, but based upon programming and wireless concepts, the threat of this kind of virtual airborne virus makes sense.  I would be interested in seeing how many viruses that exist today started out as "proof of concept" viruses…basically didn’t they all?  It seems that the potential for this new concept virus called Crossover is being downplayed by the anti-virus software vendors who cannot get their hands on the code from MARA.


iPod…you pod…we can all slurp with iPod…

Monday, February 27th, 2006

I read with interest the story about stealing data easily using iPods with a tool a security guy created. I received a 60 GB iPod for Christmas; I can certainly see how an organization’s most valuable and sensitive data could be slurped out without any knowledge of the company. I did an informal check with a few of my security practitioner buddies at some very large multinational organizations. One thought all the USB ports on the desktop computers had been removed, but she did a quick check…of the desktops being used by the contracted staff…and found they ALL had active USB ports on them. Supposedly the tool the security guy created is not designed to download actual files, only to report how many it found. However, how trivial would it be for an IT dude to write a simple script to find and download the files? I’ve accidentally copied files into my iTunes before, and it recognized them with the extensions renamed to look like MPEG files. Hmm…


New Data Retention Requirements in the EU

Thursday, February 23rd, 2006

Are those of you with offices in the EU aware that there is now a new data retention directive to follow?  This adds to all the other data retention requirements that already exist.  The huge challenge I’ve found many organizations struggling with is how to deal with conflicting retention requirements.

I urge you to read this regulation if you have any customers or offices within any of the EU countries.  You’ll need to read the entire document to get the full effect, but the following excerpt is of particular interest:

Article 5
Categories of data to be retained
1. Member States shall ensure that the following categories of data are retained under this Directive:
  (a) data necessary to trace and identify the source of a communication:
    (1) concerning fixed network telephony and mobile telephony:
      (i) the calling telephone number;
      (ii) the name and address of the subscriber or registered user;
    (2) concerning Internet access, Internet e-mail and Internet telephony:
      (i) the user ID(s) allocated;
      (ii) the user ID and telephone number allocated to any communication entering the public telephone network;
      (iii) the name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication;
  (b) data necessary to identify the destination of a communication:
    (1) concerning fixed network telephony and mobile telephony:
      (i) the number(s) dialled (the telephone number(s) called), and, in cases involving supplementary services such as call forwarding or call transfer, the number or numbers to which the call is routed;
      (ii) the name(s) and address(es) of the subscriber(s) or registered user(s);
    (2) concerning Internet e-mail and Internet telephony:
      (i) the user ID or telephone number of the intended recipient(s) of an Internet telephony call;
      (ii) the name(s) and address(es) of the subscriber(s) or registered user(s) and user ID of the intended recipient of the communication;
  (c) data necessary to identify the date, time and duration of a communication:
    (1) concerning fixed network telephony and mobile telephony, the date and time of the start and end of the communication;
    (2) concerning Internet access, Internet e-mail and Internet telephony:
      (i) the date and time of the log-in and log-off of the Internet access service, based on a certain time zone, together with the IP address, whether dynamic or static, allocated by the Internet access service provider to a communication, and the user ID of the subscriber or registered user;
      (ii) the date and time of the log-in and log-off of the Internet e-mail service or Internet telephony service, based on a certain time zone;
  (d) data necessary to identify the type of communication:
    (1) concerning fixed network telephony and mobile telephony: the telephone service used;
    (2) concerning Internet e-mail and Internet telephony: the Internet service used;
  (e) data necessary to identify users’ communication equipment or what purports to be their equipment:
    (1) concerning fixed network telephony, the calling and called telephone numbers;
    (2) concerning mobile telephony:
      (i) the calling and called telephone numbers;
      (ii) the International Mobile Subscriber Identity (IMSI) of the calling party;
      (iii) the International Mobile Equipment Identity (IMEI) of the calling party;
      (iv) the IMSI of the called party;
      (v) the IMEI of the called party;
      (vi) in the case of pre-paid anonymous services, the date and time of the initial activation of the service and the location label (Cell ID) from which the service was activated;
    (3) concerning Internet access, Internet e-mail and Internet telephony:
      (i) the calling telephone number for dial-up access;
      (ii) the digital subscriber line (DSL) or other end point of the originator of the communication;
  (f) data necessary to identify the location of mobile communication equipment:
    (1) the location label (Cell ID) at the start of the communication;
    (2) data identifying the geographic location of cells by reference to their location labels (Cell ID) during the period for which communications data are retained.

2. No data revealing the content of the communication may be retained pursuant to this Directive.

Article 6
Periods of retention
Member States shall ensure that the categories of data specified in Article 5 are retained for periods of not less than six months and not more than two years from the date of the communication.

And the directive continues on with the data protection, data security, and other requirements.

Folks, what are you doing to get your arms around data retention issues?  I see this as a sleeping giant that will emerge sometime soon to surprise and bonk on the head a great many compliance, info sec and privacy officers.  A few forward-looking organizations have established well-defined and effective data retention teams.  Be sure if you have one that you let them know about this new regulation…just in case they have not kept up with the international laws.  If you don’t have a dedicated data retention function, then start planning for how you will address the multitude of data retention requirements!


When is it Okay to Make Everyone a Suspect?

Tuesday, February 21st, 2006

I’m really glad to see Google standing their ground on refusing to submit the details of two months of search data to the DOJ.  I certainly support efforts to crack down on child porn…of course!  I want those scumbags put away for life somewhere even half as hideous as their twisted, demented, sordid actions.  However, is this the best way to do it?  Will it even yield any leads?  Aren’t other methods available for the DOJ to pursue?  Don’t other methods make more sense?  This type of activity, considering everyone within the wide net which is cast around all types of Internet searches, reminds me of a similar type of effort in Iowa a few years ago; law enforcement attempted to solve the incredibly sad, shocking and deplorable discovery of a newborn infant’s body by requiring all hospitals and clinics within a certain area to turn over records of all women who had been pregnant within a certain range of time, so they could question all these women to determine which of them had committed the horrendous crime.  The intent is noble in both cases, but the probability that these invasive measures will find the targeted perpetrators is very remote, and these actions completely dismiss the associated privacy impacts, and potential and likely damages, to those whose information is being sifted through en masse.  Remember, when you cast a wide net, a great many other fish get caught and thrown away that weren’t the target of the expedition; however, those unintended catches certainly pay the ultimate price for what may have been a noble effort by others.

And what will the DOJ do with all this search information?  Decide, perhaps, that while they have it they might as well see what everyone else is Googling for…and then flag people making what they determine as questionable searches?  It will be interesting to see how the Google case progresses.


Consider carefully what law or regulation you use to sue someone when a privacy breach occurs…

Monday, February 20th, 2006

I read with great interest the FindLaw story today about the Federal court decision today that, *UNDER GRAMM-LEACH-BLILEY*, a financial institution is not obligated to encrypt customer information on mobile workers or on mobile computing devices.  I think the plaintiff went about this the wrong way.  I wonder how the decision would have turned out if this was tested under the FTC Act as an unfair and deceptive business practice?  Then, wouldn’t the court have had to consider the types of security and privacy promises that Brazos had made?  There is a privacy policy on the Brazos site.  The policy states, "The Brazos Group (BRAZOS) is committed to preserving the individual privacy rights of all of the users of its websites. Brazos strongly believes that it has a responsibility to protect from disclosure to unauthorized parties the personally identifying information (name, address, date of birth, social security number, etc.) of its website users. Therefore, Brazos has adopted and implemented a privacy policy to protect the individually identifying account and personal information of its website users."  But then, as it goes on, it only references the privacy of the information through the website.  However, wouldn’t this initial statement put them in some hot water under the FTC Act?  Hmm…


When a Virus Bot Becomes a Privacy Breach

Saturday, February 18th, 2006

I found it very interesting that one of my alma maters, the University of Northern Iowa, reported potential identity theft because, from what the news reported, a "virus" was discovered on one of their laptops containing personal information about 6,000 of their employees.  When discussing privacy breaches it seems that there is a very wide range of definitions for what constitutes a privacy breach.  This is the first time I’ve seen a virus infecting a laptop being considered a privacy breach.  Perhaps there is something I’m missing…so I checked other sources.  The Des Moines NBC television station reported that the laptop computer was "illegally accessed."  The ABC affiliate in Cedar Falls reported even fewer details.  Radio Iowa reported a few more details, indicating "…a fire in November in the Cedar Falls school’s business building contributed to the breach in computer security…the laptop computer was purchased the day before the fire and since the fire, the business office has been moved twice…"  It also indicated a "bot" was discovered on the computer, which is why they reported the incident as a privacy breach.  It would be interesting to do a little digging to see what types of information these bots have already collected, and what the potential is for them.
